Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-1

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-1

From:	Gerd Hoffmann
Subject:	Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800)
Date:	Fri, 5 Jun 2020 09:11:56 +0200

On Thu, Jun 04, 2020 at 03:59:05PM +0200, BALATON Zoltan wrote:
> On Thu, 4 Jun 2020, Gerd Hoffmann wrote:
> > > +        } else if (s->regs.mm_index > MM_DATA + 3) {
> > >              val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, 
> > > size);
> > 
> > MM_INDEX is 0
> > MM_DATA  is 4
> > "normal" registers start at 8.
> > 
> > So we want allow indirect access for offset 8 and above and deny offsets
> > 0-7.  mm_index is interpreted with an offset, see "- MM_DATA" in the
> > call above.
> 
> MM_INDEX is the register to read, addr - MM_DATA is an offset for unaligned
> access (when guest reads MM_DATA + 1, size=2 then we need to return
> regs[valueof(MM_INDEX) + 1], size=2.

Ah, right.  Scratch my comment then, patch is correct.
Added to vga queue.

thanks,
  Gerd

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800), P J P, 2020/06/04
- Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800), Gerd Hoffmann, 2020/06/04
  - Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800), BALATON Zoltan, 2020/06/04
    - Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800), Gerd Hoffmann <=

Prev by Date: Re: [RFC] hw: nios2: update interrupt_request when STATUS_PIE disabled
Next by Date: RE: [RFC] hw: nios2: update interrupt_request when STATUS_PIE disabled
Previous by thread: Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800)
Next by thread: Question about vhost-user-gpu on Arm64
Index(es):
- Date
- Thread